Hi there,

On Wed, 28 Apr 2021, Robert Kudyba wrote:

> Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't appear to acknowledge nor reply.

I can't help you with anything related to Malwarepatrol.

> Why don't these come up?
>
> sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs

As per the documentation I would write all those as

    sigtool --find-sigs=MBL...

but I find that they seem to work without the '=' and that's a little surprising to me. I don't know why you're not seeing the output that you expect, maybe sigtool isn't looking where you think it's looking, or what you think is there isn't there?

Also, you need to be careful with special characters like '*', which generally need to be hidden from the shell either by 'quoting' or by 'escaping' them - otherwise the shell may expand them before handing the (now probably useless) command to your utility. So I'd write

    sigtool --find-sigs='MBL_85256034*' | sigtool --decode-sigs

> I also see multiple signature whitelists with some duplication:
>
> /var/lib/clamav/securiteinfo.ign2
> /var/lib/clamav/sigwhitelist.ign2
> /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
> /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
>
> That should be ok?

The duplication? Shouldn't be a problem. Small efficiency loss.

-- 
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
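
Added example, not part of the original message: a shell sketch of the quoting point made in the reply above, showing what a utility actually receives when a '*' argument is left unquoted. show_args is a hypothetical stand-in for sigtool, and the file names in the temporary directory are constructed.

```shell
#!/bin/sh
# show_args (hypothetical stand-in for a utility such as sigtool) prints
# every argument it receives in brackets, i.e. what the shell handed over.
show_args() {
    for a in "$@"; do printf '[%s]' "$a"; done
    printf '\n'
}

# Constructed scenario: a working directory that happens to contain files
# whose names match the pattern typed on the command line.
demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/MBL_85256034.hdb"
    : > "$d/MBL_85256034.txt"
    printf '%s\n' "$d"
}

# Each helper runs in a subshell so the caller's directory is unchanged.
# Unquoted: the shell replaces the pattern with matching file names, if any.
unquoted() ( cd "$1" && show_args --find-sigs MBL_85256034* )
# Quoted or escaped: the pattern reaches the utility exactly as typed.
quoted()   ( cd "$1" && show_args --find-sigs 'MBL_85256034*' )
escaped()  ( cd "$1" && show_args --find-sigs MBL_85256034\* )

full=$(demo_dir)
empty=$(mktemp -d)
echo "unquoted, matching files present: $(unquoted "$full")"
echo "unquoted, no matching files:      $(unquoted "$empty")"
echo "quoted:                           $(quoted "$full")"
echo "escaped:                          $(escaped "$full")"
rm -rf "$full" "$empty"
```

The unquoted form only passes the pattern through when nothing in the current directory matches it, so the same command line can behave differently depending on where it is run.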